Marriott Says Hack Was Smaller Than Originally Thought, but 5.25 Million Passport Numbers Were Stolen

Marriott disclosed Friday that fewer guests than originally thought were affected by a massive computer hacking attack but that more than five million passport numbers were stolen.

Marriott said about 5.25 million passport numbers were taken in the incident, which US officials believe was masterminded by the Chinese government.

An additional 20.3 million encrypted passport numbers were also taken but there is no evidence hackers were able to decipher that data, Marriott said.

Marriott initially disclosed the hack – one of the biggest ever – on November 30, saying up to 500 million consumers of former Starwood properties were affected and that some combinations of names, addresses, emails or passport numbers were taken for some 327 million guests. Marriott bought Starwood in 2016.

The update follows more extensive investigation since the initial disclosure, the company said.

“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” said Marriott Chief Executive Arne Sorenson.

The hotelier now estimates that up to 383 million records were pilfered in the incident, cutting the original figure after data forensics eliminated duplicates.

US Secretary of State Mike Pompeo said last month US officials believed the Marriott hack was part of an espionage effort directed by Beijing that has targeted health insurers and the US civil service employment database.

The United States and China are embroiled in a wide-ranging trade war. Policy architects in the Trump administration say they are countering entrenched industrial policies by Beijing, which they allege involve widespread cybertheft.